Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 07:44

General

  • Target

    0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe

  • Size

    192KB

  • MD5

    0741a1830a1533d499c2038768d3deae

  • SHA1

    b91e7a8b69a4c8e6887ea2302fa44ee74c29b681

  • SHA256

    06827da10ded8e21904644041887240a152352a2709a326bab95e637866ccb43

  • SHA512

    3ed8b51527f4b67f8e3bfa6199c835fab1d56f6490ad5b17ab684f75d1ac2a6f39888c2ed345cd47e850e61e40ff76ccd024d1b12019477b2807c100039f02bd

  • SSDEEP

    3072:naDiCoKnWncEiArFyThA+l3qMbcE701jPh8/4Oha:aDRoKnWncsrFyTm+l35cEYpGAO

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Program crash 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5036
    • \??\c:\users\admin\appdata\local\fvgmrlwrlx
      "C:\Users\Admin\AppData\Local\Temp\0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe"a -sc:\users\admin\appdata\local\temp\0741a1830a1533d499c2038768d3deae_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1088
      2⤵
      • Program crash
      PID:3184
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2396 -ip 2396
    1⤵
      PID:2160
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3992
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1100
        2⤵
        • Program crash
        PID:1048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3992 -ip 3992
      1⤵
        PID:2800
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1096
          2⤵
          • Program crash
          PID:3040
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2284 -ip 2284
        1⤵
          PID:676

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\fvgmrlwrlx

          Filesize

          21.8MB

          MD5

          57279d3bab0b3bc0839959598d52e467

          SHA1

          7268377ecb93a5c168c91b76753790be336d51af

          SHA256

          b2471e39a552370a410c6b1a9aa7c000515f2589a767f4911d1ef646f2246fd2

          SHA512

          e3d50f0e2096db13e0eea8c5b4c8e49a810c7d94d68aa7bd4ffb1868555694bae4942fbca71c8fb42142cce2d8c616e46610dfae3b32f3aad5ec76fa7d0358b2

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          202B

          MD5

          73295fb61f4c88eb0551b7286c9bb0fd

          SHA1

          717a095f8056741580bd3ca57d11aea871ae4f41

          SHA256

          c894458e86df47dc4b1bce236acfdbe82db28588065afb04b367331ef64e896e

          SHA512

          59182c85d106797c99c1e1bc45d356a942e90827b1020a2441181ba448b2abcecddc3198b9e4c16344164c984676babb96ffa39f6aaefc2c553d17bdf19a671e

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          303B

          MD5

          f7041a0ff8d22cdccf139f62fb1dedba

          SHA1

          01f0ceabcfd99ddf324c8b10e145a0de243959b5

          SHA256

          72db2ec91a5032efa93ae9f8fea33741c8a76b5b1c9dd33cd526e50ba86785d8

          SHA512

          d9b133f59517af74f9337f5f6faa63a53c4de3c62db9da24fe975665848b2d42b94b07c12032ac43066454ba29f8fe7d7daf6ca24c7b10a54303ce5f355e5530

        • \??\c:\program files (x86)\google\%sessionname%\lonkx.cc3

          Filesize

          24.0MB

          MD5

          7d16052214017619898ca57229879e7a

          SHA1

          987ba1f82b734297e4b5a895c281240d202a1508

          SHA256

          b5da27a5e8479982c32e62ac56a1f0742badb9a09f0851e8fe67ab3919ce94d4

          SHA512

          4d317c2dc991813da757c41728ac0564c291e8b963d6705bda6964d98993f39c56bca9e182cd090350b184bbd5ff660479e958a6fcd908ab1662c3a6df7024f8

        • memory/2284-18-0x00000000019F0000-0x00000000019F1000-memory.dmp

          Filesize

          4KB

        • memory/2284-21-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/2396-9-0x0000000001380000-0x0000000001381000-memory.dmp

          Filesize

          4KB

        • memory/2396-11-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/3992-13-0x00000000013D0000-0x00000000013D1000-memory.dmp

          Filesize

          4KB

        • memory/3992-16-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB